[openssl/openssl] 7a949a: Don't ask for an invalid group in an HRR
Matt Caswell
noreply at github.com
Fri Jun 23 13:27:08 UTC 2023
Branch: refs/heads/master
Home: https://github.com/openssl/openssl
Commit: 7a949ae5f1799a6629cf6deb44ae0f38455a73dd
https://github.com/openssl/openssl/commit/7a949ae5f1799a6629cf6deb44ae0f38455a73dd
Author: Matt Caswell <matt at openssl.org>
Date: 2023-06-23 (Fri, 23 Jun 2023)
Changed paths:
M ssl/statem/extensions.c
Log Message:
-----------
Don't ask for an invalid group in an HRR
If the client sends us a group in a key_share that is in our
supported_groups list but is otherwise not suitable (e.g. not compatible
with TLSv1.3) we reject it. We should not ask for that same group again
in a subsequent HRR.
Fixes #21157
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/21163)
Commit: adf33f9e268b17ec1b4739707abb40b03b21ea6a
https://github.com/openssl/openssl/commit/adf33f9e268b17ec1b4739707abb40b03b21ea6a
Author: Matt Caswell <matt at openssl.org>
Date: 2023-06-23 (Fri, 23 Jun 2023)
Changed paths:
M test/recipes/70-test_tls13hrr.t
Log Message:
-----------
Add a test for an invalid group in the HRR
Test that if the client sends a key share for a group in the server's
supported_group list but is otherwise invalid, that we don't select it
in the HRR.
Reviewed-by: Tomas Mraz <tomas at openssl.org>
Reviewed-by: Todd Short <todd.short at me.com>
(Merged from https://github.com/openssl/openssl/pull/21163)
Compare: https://github.com/openssl/openssl/compare/a02571a02473...adf33f9e268b
More information about the openssl-commits
mailing list